butler at globeserver.com
Fri Jun 20 15:47:33 IST 2008
Thanks for all of the input so far - I'll try to digest it over the
I would have gotten to it before now, but my 7 year old son broke his
leg a few days ago. Life happens......
On Jun 19, 2008, at 2:12 AM, Scott Silva wrote:
> on 6-18-2008 6:27 PM Philip Butler spake the following:
>> Hi all,
>> This may have been discussed here before, but I am going to throw
>> it out again...
>> I have set up a few "mailbag" machines for some of my customers to
>> grab their incoming email and process it for spam. This then goes
>> into POP mailboxes and their mail servers then grab the mail. The
>> intent is that it be a black-hole for spam and takes some of the
>> load off of their systems. A while back, I determined that most
>> spam (for these customers anyway) was being marked with a spamscore
>> of about 20, so I set the spam threshold on these mailbag machines
>> to be 15.
>> These machines run MailScanner (of course), SpamAssassin, and Razor.
>> Everything works fine and transparently most of the time, but
>> occasionally (i.e. the last few days), email is coming in and
>> clogging the MailScanner incoming queue. I havent' measured, but
>> at times it's around 1 new message per second. At times there may
>> be 10-15 thousand messages waiting to be processed. If left alone,
>> it doesn't seem to correct itself. What I have done is transferred
>> 10k messages or so from the machine that clogs up to another
>> machine and then they get processed quickly. This almost seems to
>> be a DNS-type problem with RBL lookups or something.
>> I have tried to figure out where the messages are coming from, but
>> I don't see a pattern. If most messages were coming from a handful
>> of machines, then I would just put an IP-filter on them and drop
>> any packets from them. Unfortunately, I have not seen any pattern
>> - so I am back to square one.
>> Any ideas as to what I should check, etc. to figure out why these
>> customers are being excessively spam-bombed. This seems to happen
>> maybe once every month or two - then it goes away.
> Have you tried anything like connection rate throttling?
> It is probably a large chain of spambots, and their IP's change
> fairly frequently. Limiting how many connections that can come from
> one IP should help some. You can try to collect addresses and
> blackhole them, but they will probably stop shortly as they go on to
> their next target.
> If you are using sendmail this page could help;
> I'm sure there are similar features in Exim or Postfix, but I
> haven't come over to the "dark side" yet so I don't know their
> secret incantations.
> MailScanner is like deodorant...
> You hope everybody uses it, and
> you notice quickly if they don't!!!!
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> Before posting, read http://wiki.mailscanner.info/posting
> Support MailScanner development - buy the book off the website!
More information about the MailScanner